We’ve seen the news reports: A business announces that customers’ information was stolen from the retailer’s computer system by hackers or other criminals. Retailers break this bad news so that consumers can take action to protect their banking, credit-card or personal information.
What protection would Wisconsinites receive in the event of a data breach?
Not as much as you’d think, and surely not what most of us would consider the bare minimum.
Wisconsin’s consumer-protection laws with regard to data breaches are from 2006, before anyone not then a college student could be on Facebook, and before most of us – whether president of the United States or ordinary citizen — knew Twitter even existed.
According to a May report on data breach risks, recovery and regulation released by the Wisconsin Legislative Reference Bureau, personal data is stolen by hackers on a constant basis, Wisconsin Public Radio.org reported May 22. The report says research shows that within the next two years, the probability of a significant breach at any given business or nonprofit organization is about 30 percent. In 2017, the Reference Bureau notes, there were 1,579 data breaches that exposed nearly 179 million personal records.
The LRB report also cites a state-by-state comparison of data breach laws by Digital Guardian, an information security company. The firm ranked the Badger State’s laws as “less strict” than other states. Only Kentucky and Mississippi had a lower ranking.
We’d rather Wisconsin compete with Kentucky for the top of the college basketball hill, not for the bottom of the field of consumer protection against data breaches.
At the very least, companies that don’t alert customers that a data breach has occurred should be penalized; current Wisconsin law doesn’t even do that.
“While the law instructs businesses and other organizations to notify consumers within 45 days that a data breach occurs,” said Lara Sutherlin, an administrator at the state Department of Agriculture, Trade and Consumer Protection, “what’s significant about that law is there’s no enforcement mechanism. So, if no one does any notification there’s no provision in the law that allows the state to enforce it. There’s no requirement that they even tell the attorney general or the Department of Agriculture, Trade and Consumer Protection that a breach occurred.
“So, it’s a law that has some prescriptions but very little teeth, which makes it hard to actually be effective.”
According to the Legislative Reference Bureau report, Wisconsin’s data breach laws are unclear on whether companies that don’t report can face lawsuits for negligence. According to the statute, “failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.”
While reporting breaches to the state isn’t required, Sutherland said many companies do report such breaches to the DATCP, which is then able to help warn potential victims of identity theft. Sutherlin said consumers concerned about their data security can contact DATCP and speak with members of their identity theft team.
That’s good to hear, but it’s not good enough.
The state Assembly and Senate should introduce and pass, and Gov. Tony Evers should sign into law, legislation that gets state consumer protections with regard to data breaches up to speed.